winfunc has autonomously found security vulnerabilities in some of the biggest companies
Get started in 3 simple steps.
Connect Codebase
Link your GitHub repositories securely. We map your architecture instantly.
Autonomous Audit
Receive a deep-dive security audit with PoCs for every vulnerability found.
Continuous Protection
Automated patches via PRs. We scan every commit to keep you zero-day safe.
Enterprise security. Fully autonomous.
One platform that combines SAST, SCA, AI triage, and automated remediation — from first scan to merged fix.
Vulnerability Detection
Multi-phase static analysis with source-to-sink tracking. Every finding includes an executable proof-of-concept — zero false positives, guaranteed.
Dependency Scanning
Continuous software composition analysis across npm, pip, Maven, Go, and more. CVE and OSV coverage with severity-based prioritization.
AI-Generated Patches
Autonomous patch generation delivered as pull requests. Fix vulnerabilities without context-switching: review, merge, ship.
AI Security Assistant
Context-aware AI triager that understands your codebase. Ask questions, validate findings, and prioritize remediation in natural language.
PR Security Scanning
Scan every pull request automatically. Catch vulnerabilities before they reach production with incremental diff-based analysis.
Security Scoring & Reporting
Organization-wide security posture scoring, vulnerability trending, aging analysis, and professional PDF-exportable reports.
Custom Scan Rules
Configure focus and reporting rules to guide the AI agent's analysis. Tailor scans to your security requirements and compliance needs.
Infrastructure & Cloud
Find misconfigurations and exposures across cloud environments. IaC scanning for Terraform, CloudFormation, and Kubernetes.
Function-Level Analysis
Deep code comprehension with reachability analysis, complexity metrics, taint tracking, and cross-reference mapping for every function.
CI Integration
Native pipeline integration for GitHub Actions, GitLab CI, Jenkins, and more. Blocking gates, SARIF output, and inline PR comments.
Secrets Detection
High-precision detection of API keys, tokens, passwords, and certificates embedded in code, config files, and environment variables.
API Security
Deep analysis of REST, GraphQL, and gRPC endpoints. Detects IDOR, broken auth, missing rate limits, and injection vectors.
Build-time security enforcement.
Security policies as a type system. One file per endpoint. Meet Dome.
ast-grep rules fail the build on missing auth or raw SQL.
Pingora proxy enforces rate limits, auth, response scanning.
Landlock/Seatbelt profiles with per-endpoint isolation.
Trusted by security-first teams.
Hear from engineering leaders who rely on Winfunc to protect their codebases.


"Our engineering team has a background in writing secure code, including building auth platforms and payments platforms for multi-billion dollar companies. We tend to be very mindful of security best practices. Yet Winfunc's initial run surfaced several exploitable vulnerabilities for us to patch in order to keep our platform and our customers' data secure. We've worked with third party penetration testers in the past, but I love that Winfunc can protect us with continuous vulnerability scanning instead of saying goodbye after a one-time engagement, especially as we grow our team and as more of our codebase is generated by LLMs."

"Winfunc is beyond impressive. The agent found complex bypasses other tools missed."

"Winfunc had a seamless onboarding experience. I was able to get a detailed scan in less than a day."

"Winfunc offers a great user experience for discovering and researching potential security issues."

Latest from the lab.
Hacking the old HackerNews codebase
Auditing the old HackerNews codebase for security vulnerabilities with LLMs on a specialized harness.
What an automated vulnerability research system actually found
Thirteen patched bugs across nine projects, including Node.js, React, NGINX, Mattermost, Supabase, Bun, Gumroad, Anthropic's MCP SDK, and Better-Auth. What the system got right, where it still falls over, and why executable PoCs matter more than model reasoning.
How Asterisk Works
N-Day-Bench
A monthly adaptive benchmark measuring the capability of frontier LLMs to discover real-world vulnerabilities in open-source software. Every case is sourced from GitHub security advisories disclosed after each model's knowledge cutoff.
Latest Leaderboard
April 2026
How It Works
Sources fresh GitHub security advisories disclosed after each model's training cutoff. Applies strict qualification filters to accept only real, non-trivial vulnerabilities.
The model under test analyzes the vulnerable codebase with no prior knowledge of the advisory. Must independently discover the vulnerability through source-to-sink reasoning.
A blinded evaluator scores findings on target alignment (30%), reasoning (30%), impact (20%), evidence quality (10%), and overclaim control (10%).
All traces are publicly browsable. See exactly how each model reasons about real-world vulnerabilities.
Explore N-Day-Bench
Frequently asked questions.
Winfunc adopts a combination of on-the-fly generated tree-sitter queries, plug-and-play language servers (LSP), and LLM-powered analysis for ingesting codebase context with 100% accuracy.
The team has worked on the problem of "codebase comprehension" for more than a year. Winfunc builds on this work and thus supports all major programming languages. So if your codebase is written in Haskell, Elixir, Clojure, Lua, or anything else, we support it.
We have demonstrated this by finding vulnerabilities in the old HackerNews codebase, which is written in "Arc", a dialect of Lisp for which no off-the-shelf parsers exist.
